diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 67f3e3e8..246457b5 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,6 +1,8 @@
 stages:
 - lint
+ - ping-test
 - deploy-test
+ - ping-prod
 - deploy-prod
 variables:
@@ -24,7 +26,7 @@ markdown-lint:
 stage: lint
 image: pipelinecomponents/markdownlint:latest
 script:
- - mdl --style all --warnings .
+ - mdl --style all --warnings --rules ~MD022,~MD013 .
 interruptible: true
 allow_failure: true
 rules:
@@ -32,6 +34,25 @@ markdown-lint:
 tags:
 - ansible
+ping-test:
+ image: quotengrote/gitlab-ci-ansible:latest
+ stage: ping-test
+ interruptible: true
+ before_script:
+ - chmod 0755 /builds/mg/ansible
+ - echo "$id_rsa_ansible_user" > /builds/mg/ansible/id_rsa_ansible_user
+ - chmod 0400 /builds/mg/ansible/id_rsa_ansible_user
+ script:
+ - ansible -i inventory --limit test --vault-password-file $ansible_vault_pass all -m ping
+ after_script:
+ - rm /builds/mg/ansible/id_rsa_ansible_user
+ rules:
+ - if: $CI_MERGE_REQUEST_ID
+ tags:
+ - ansible
+
+
+
 ansible-deploy-test:
 image: quotengrote/gitlab-ci-ansible:latest
 stage: deploy-test
@@ -49,6 +70,23 @@ ansible-deploy-test:
 tags:
 - ansible
+ping-prod:
+ image: quotengrote/gitlab-ci-ansible:latest
+ stage: ping-prod
+ interruptible: true
+ before_script:
+ - chmod 0755 /builds/mg/ansible
+ - echo "$id_rsa_ansible_user" > /builds/mg/ansible/id_rsa_ansible_user
+ - chmod 0400 /builds/mg/ansible/id_rsa_ansible_user
+ script:
+ - ansible -i inventory --limit production --vault-password-file $ansible_vault_pass all -m ping
+ after_script:
+ - rm /builds/mg/ansible/id_rsa_ansible_user
+ rules:
+ - if: $CI_COMMIT_BRANCH == 'master'
+ tags:
+ - ansible
+
 ansible-deploy-prod:
 image: quotengrote/gitlab-ci-ansible:latest
 stage: deploy-prod
diff --git a/README.md b/README.md
index 11ab1107..57e54641 100644
--- a/README.md
+++ b/README.md
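Review bot: The new `--rules ~MD022,~MD013` switch on the mdl line is undocumented, and the README hunks in this same commit add the blank lines around headings that MD022 checks, so it is unclear whether MD022 still needs to be excluded once those fixes land. A comment above `script:` would record the intent, e.g. `# MD013 (line length) and MD022 (blank lines around headings) are excluded: <reason>`. The markdown-lint job starts and ends outside the hunk.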
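Review bot: The SSH private key is written with `echo "$id_rsa_ansible_user" > …` under the job's default umask and only afterwards restricted by `chmod 0400`, and its removal depends on `after_script`, which on some GitLab versions does not run for cancelled or timed-out jobs, so the key can remain readable in `/builds/mg/ansible` on the runner. Creating the file under a restrictive umask with a format-safe write narrows both: `- umask 077` followed by `- printf '%s\n' "$id_rsa_ansible_user" > /builds/mg/ansible/id_rsa_ansible_user` (printf also avoids `echo` interpreting backslash sequences in some shells). If the inventory does not require the key on disk, loading it into `ssh-agent` with `ssh-add -` avoids the file entirely, but that depends on inventory settings not visible here. The same before_script/after_script sequence is repeated in the `ping-prod` hunk below. The three blank lines added before `ansible-deploy-test:` are more than the single blank line used between the other jobs.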
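Review bot: `ping-prod` repeats the whole of `ping-test` — image, key-writing `before_script`, `after_script` cleanup and tags — with only `--limit production` and the rule differing, so any later fix to the key handling has to be made twice (and presumably again in the deploy jobs, whose bodies are outside the hunks). GitLab's `extends:` keyword with a hidden `.ping` template and a job variable for the limit keeps one copy; the sketch below does that for `ping-prod`, with `ping-test` changed the same way (`PING_LIMIT` is a constructed name). Quoting `"$ansible_vault_pass"` in the `ansible` line would also keep an unset variable from shifting `all` into the file-argument position instead of failing clearly.
```yaml
.ping:
  image: quotengrote/gitlab-ci-ansible:latest
  interruptible: true
  before_script:
    - chmod 0755 /builds/mg/ansible
    - echo "$id_rsa_ansible_user" > /builds/mg/ansible/id_rsa_ansible_user
    - chmod 0400 /builds/mg/ansible/id_rsa_ansible_user
  script:
    - ansible -i inventory --limit "$PING_LIMIT" --vault-password-file "$ansible_vault_pass" all -m ping
  after_script:
    - rm /builds/mg/ansible/id_rsa_ansible_user
  tags:
    - ansible

ping-prod:
  extends: .ping
  stage: ping-prod
  variables:
    PING_LIMIT: production
  rules:
    - if: $CI_COMMIT_BRANCH == 'master'

# … unchanged: ansible-deploy-prod …
```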
@@ -2,21 +2,25 @@
 [![pipeline status](http://git.mgrote.net/mg/ansible/badges/master/pipeline.svg)](http://git.mgrote.net/mg/ansible/-/commits/master)
-
 ## Ansible KeePass Lookup Plugin aktualisieren
+
 ```bash
 pip install 'pykeepass>3.2.0' --user
 mkdir -p ~/.ansible/plugins/lookup && cd "$_"
 curl https://raw.githubusercontent.com/viczem/ansible-keepass/master/keepass.py -o ./keepass.py
 ```
+
 ## collections als Dependency
+
 - in meta
-```
+
+```yaml
 collections:
 - community.general
 ```
 ## defaults in Dictionary
+
 ```bash
 - name: "register_runner"
 community.general.gitlab_runner:
@@ -29,7 +33,6 @@ description: <-- Original-Variable
 default('GitLab-Runner') }}" <-- wenn Inhalt leer, dann default...
 ```
-
 ## [playbook-grapher](https://github.com/haidaraM/ansible-playbook-grapher)
 `ansible-playbook-grapher --include-role-tasks tests/fixtures/with_roles.yml`
@@ -43,7 +46,8 @@ default('GitLab-Runner') }}" <-- wenn Inhalt leer, dann default...
 `ansible-galaxy collection list -vvv`
 ## fix ansible vault-permissions
-```
+
+```bash
 sudo chmod 400 id_rsa_ansible_user
 sudo chmod 400 vault-pass.yml
 ```
@@ -60,12 +64,14 @@ Diese Datei enthält das Passwort mit dem die KeePassDb verschlüsselt ist.
 Das vault-secret für die GroupVars wird mit `ansible-vault encrypt_string ` erstellt.
 ### Erklärung
+
 ```yaml
 keepass_dbx: "./keepass_db.kdbx"
 keepass_psw: !vault |
 $ANSIBLE_VAULT;1.1;AES256
 62383737XXXXXX531
 ```
+
 1. mit vault-pass.yml wird das Kennwort an ansible-vault übergeben
 2. ansible-vault entschlüsselt hiermit die Variable `keepass_psw`
 3. der Inhalt der Variable wird dann an das KeePass-Lookup-Plugin übergeben was damit die KeePass-Datei öffnet
@@ -74,6 +80,7 @@ Das vault-secret für die GroupVars wird mit `ansible-vault encrypt_string